CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Variant · Incomplete

Description

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

Hierarchy (View 1000)

Parents

Children

none

Related attack patterns (CAPEC)

CAPEC-1 · CAPEC-180 · CAPEC-77

CVEs mapped to this weakness (488)

page 10 of 25
  • CVE-2025-57321 (Sep 24, 2025)
    risk 0.00 · cvss (not listed) · epss 0.00

    A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.

  • CVE-2025-57328 (Sep 24, 2025)
    risk 0.00 · cvss (not listed) · epss 0.00

    toggle-array is a package designed to enable a property on the object at the specified index, while disabling the property on all other objects. A Prototype Pollution vulnerability in the enable and disable function of toggle-array v1.0.1 and before allows attackers to inject…

  • CVE-2025-57326 (Sep 24, 2025)
    risk 0.00 · cvss (not listed) · epss 0.00

    A Prototype Pollution vulnerability in the byGroupAndType function of sassdoc-extras v2.5.1 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.

  • CVE-2025-57324 (Sep 24, 2025)
    risk 0.00 · cvss (not listed) · epss 0.00

    parse is a package designed to parse JavaScript SDK. A Prototype Pollution vulnerability in the SingleInstanceStateController.initializeState function of parse version 5.3.0 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload,…

  • CVE-2025-57330 (Sep 24, 2025)
    risk 0.00 · cvss (not listed) · epss 0.00

    The web3-core-subscriptions package is designed to manage web3 subscriptions. A Prototype Pollution vulnerability in the attachToObject function of web3-core-subscriptions version 1.10.4 and before allows attackers to inject properties on Object.prototype via supplying a…

  • CVE-2025-57348 (Sep 24, 2025)
    risk 0.00 · cvss (not listed) · epss 0.00

    The node-cube package (prior to version 5.0.0) contains a vulnerability in its handling of prototype chain initialization, which could allow an attacker to inject properties into the prototype of built-in objects. This issue, categorized under CWE-1321, arises from improper…

  • CVE-2025-57329 (Sep 24, 2025)
    risk 0.00 · cvss (not listed) · epss 0.00

    web3-core-method is a package designed to create the methods on the web3 modules. A Prototype Pollution vulnerability in the attachToObject function of web3-core-method version 1.10.4 and before allows attackers to inject properties on Object.prototype via supplying a crafted…

  • CVE-2025-57320 (Sep 24, 2025)
    risk 0.00 · cvss (not listed) · epss 0.00

    json-schema-editor-visual is a package that provides a jsonschema editor. A Prototype Pollution vulnerability in the setData and deleteData functions of json-schema-editor-visual versions thru 1.1.1 allows attackers to inject or delete properties on Object.prototype via supplying a…

  • CVE-2025-54803 (Aug 5, 2025)
    risk 0.00 · cvss (not listed) · epss 0.00

    js-toml is a TOML parser for JavaScript, fully compliant with the TOML 1.0.0 Spec. In versions below 1.0.2, a prototype pollution vulnerability in js-toml allows a remote attacker to add or modify properties of the global Object.prototype by parsing a maliciously crafted TOML…

  • CVE-2025-49223 (Jun 4, 2025)
    risk 0.00 · cvss (not listed) · epss 0.01

    billboard.js before 3.15.1 was discovered to contain a prototype pollution via the function generate, which could allow attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.

  • CVE-2025-5150 (May 25, 2025)
    risk 0.00 · cvss (not listed) · epss 0.00

    A vulnerability was found in docarray up to 0.40.1. It has been rated as critical. Affected by this issue is the function __getitem__ of the file /docarray/data/torch_dataset.py of the component Web API. The manipulation leads to improperly controlled modification of object…

  • CVE-2025-31475 (Apr 7, 2025)
    risk 0.00 · cvss (not listed) · epss 0.01

    tarteaucitron.js is a compliant and accessible cookie banner. A vulnerability was identified in tarteaucitron.js prior to 1.20.1, where the addOrUpdate function, used for applying custom texts, did not properly validate input. This allowed an attacker with direct access to the…

  • CVE-2024-38988 (Mar 28, 2025)
    risk 0.00 · cvss (not listed) · epss 0.00

    alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/index.js. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.

  • CVE-2024-38985 (Mar 28, 2025)
    risk 0.00 · cvss (not listed) · epss 0.00

    janryWang products depath v1.0.6 and cool-path v1.1.2 were discovered to contain a prototype pollution via the set() method at setIn (lib/index.js:90). This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary…

  • CVE-2024-57083 (Mar 28, 2025)
    risk 0.00 · cvss (not listed) · epss 0.00

    A prototype pollution in the component Module.mergeObjects (redoc/bundles/redoc.lib.js:2) of redoc <= 2.2.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

  • CVE-2025-25975 (Mar 12, 2025)
    risk 0.00 · cvss (not listed) · epss 0.00

    An issue in parse-git-config v.3.0.0 allows an attacker to obtain sensitive information via the expandKeys function.

  • CVE-2025-25977 (Mar 10, 2025)
    risk 0.00 · cvss (not listed) · epss 0.00

    An issue in canvg v.4.0.2 allows an attacker to execute arbitrary code via the Constructor of the class StyleElement.

  • CVE-2023-0163 (Nov 26, 2024)
    risk 0.00 · cvss (not listed) · epss 0.00

    Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in Mozilla Convict. This allows an attacker to inject attributes that are used in other components, or to override existing attributes with ones that have incompatible type,…

  • CVE-2024-48910 (Oct 31, 2024)
    risk 0.00 · cvss (not listed) · epss 0.03

    DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to prototype pollution. This vulnerability is fixed in 2.4.2.

  • CVE-2024-45277 (Oct 8, 2024)
    risk 0.00 · cvss (not listed) · epss 0.00

    The SAP HANA Node.js client package, versions from 2.0.0 before 2.21.31, is impacted by a Prototype Pollution vulnerability allowing an attacker to add arbitrary properties to global object prototypes. This is due to improper user input sanitization when using the nestTables feature…